CVE-2026-53224
Status: Received - Intake
Linux Kernel SCTP Cookie Parsing Memory Corruption

Publication date: 2026-06-25

Last updated on: 2026-06-25

Assigner: kernel.org

Description
In the Linux kernel, the following vulnerability has been resolved:

sctp: validate embedded INIT chunk and address list lengths in cookie

sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload, but did not ensure that the INIT chunk is large enough to contain a complete INIT header. A malformed COOKIE_ECHO can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk). Later, sctp_process_init() accesses INIT parameters unconditionally, which may lead to out-of-bounds reads.

In addition, raw_addr_list_len is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len and cause sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.

Fix this by:
  • requiring the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk);
  • validating that the INIT chunk and raw address list together fit within the cookie payload;
  • verifying sufficient data exists for each address parameter header and payload before parsing it.

Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled. This will be addressed in a separate patch.
Affected Vendors & Products (1 associated CPE)
Vendor: linux
Product: linux_kernel
Version / Range: *
CWE: CWE-UNKNOWN
Executive Summary

This vulnerability exists in the Linux kernel's SCTP (Stream Control Transmission Protocol) implementation, specifically in how the embedded INIT chunk and the address list lengths are handled when a cookie carried by a COOKIE_ECHO chunk is unpacked.

The function sctp_unpack_cookie() only checked that the embedded INIT chunk length did not exceed the remaining cookie payload; it did not ensure that the INIT chunk was large enough to contain a complete INIT header. A malformed COOKIE_ECHO message can therefore carry a truncated INIT chunk whose length field is smaller than sizeof(struct sctp_init_chunk).

As a result, sctp_process_init() later accesses the INIT parameters unconditionally, which can lead to out-of-bounds reads.

Additionally, the raw_addr_list_len field is not fully validated against the remaining cookie payload. When cookie authentication is disabled, an attacker can supply an oversized raw_addr_list_len, causing sctp_raw_to_bind_addrs() to read beyond the end of the cookie. The address parser also lacks sufficient bounds checks for parameter headers and lengths, allowing malformed address parameters to trigger out-of-bounds reads.

The fix requires the embedded INIT chunk length to be at least sizeof(struct sctp_init_chunk), validates that the INIT chunk and raw address list together fit within the cookie payload, and verifies that sufficient data exists for each address parameter header and payload before parsing it.

Impact Analysis

This vulnerability can lead to out-of-bounds memory reads in the Linux kernel's SCTP implementation.

An attacker could exploit this by sending malformed COOKIE_ECHO messages with truncated or oversized embedded INIT chunks or address lists, potentially causing the kernel to read memory beyond intended boundaries.

Such out-of-bounds reads may lead to information disclosure, kernel instability, or crashes, depending on how the memory is accessed and handled.

Mitigation Strategies

The vulnerability is fixed by validating the embedded INIT chunk length and the raw address list length within the SCTP cookie payload to prevent out-of-bounds reads.

  • Ensure that the embedded INIT chunk length is at least the size of struct sctp_init_chunk.
  • Validate that the INIT chunk and raw address list together fit within the cookie payload.
  • Verify sufficient data exists for each address parameter header and payload before parsing.

Note that sctp_verify_init() must be called after sctp_unpack_cookie() and before sctp_process_init() when cookie authentication is disabled; this will be addressed in a separate patch.
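To make the three checks from the fix concrete, here is an added validator (example code written for this page, not the kernel patch itself) that walks a cookie payload laid out as [embedded INIT chunk][raw address list] and rejects each malformed shape the description names. The struct layouts, the 16-byte INIT header size, the error codes and the sample cookies are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>
/* Wire-format headers laid out as in the kernel (fields are big-endian). */
struct chunkhdr { uint8_t type, flags; uint16_t length; };   /* stands in for sctp_chunkhdr */
struct paramhdr { uint16_t type, length; };                  /* stands in for sctp_paramhdr */
#define INIT_CHUNK_LEN (sizeof(struct chunkhdr) + 16)        /* assumed sizeof(struct sctp_init_chunk) */

enum { COOKIE_OK = 0, ERR_HDR_TRUNC = -1, ERR_INIT_SHORT = -2,
       ERR_ADDRLIST_TRUNC = -3, ERR_PARAM_SHORT = -4, ERR_PARAM_TRUNC = -5 };

/* Validate a cookie payload laid out as [embedded INIT chunk][raw address list].
 * raw_addr_list_len is the untrusted count carried inside the cookie itself. */
int validate_cookie_payload(const uint8_t *payload, size_t len, size_t raw_addr_list_len)
{
    struct chunkhdr ch;
    if (len < sizeof(ch))                    /* need a whole chunk header before reading a length */
        return ERR_HDR_TRUNC;
    memcpy(&ch, payload, sizeof(ch));
    size_t init_len = ntohs(ch.length);
    /* Check 1: the INIT chunk must be large enough to hold a complete INIT header. */
    if (init_len < INIT_CHUNK_LEN)
        return ERR_INIT_SHORT;
    /* Check 2: INIT chunk plus address list must fit in the payload (no overflowing sum). */
    if (init_len > len || raw_addr_list_len > len - init_len)
        return ERR_ADDRLIST_TRUNC;
    /* Check 3: each address parameter header and its declared payload must fit. */
    const uint8_t *p = payload + init_len;
    size_t remaining = raw_addr_list_len;
    while (remaining > 0) {
        struct paramhdr ph;
        if (remaining < sizeof(ph))
            return ERR_PARAM_SHORT;
        memcpy(&ph, p, sizeof(ph));
        size_t plen = ntohs(ph.length);
        if (plen < sizeof(ph) || plen > remaining)
            return ERR_PARAM_TRUNC;
        p += plen;
        remaining -= plen;
    }
    return COOKIE_OK;
}

/* Constructed samples: a 20-byte INIT chunk followed by one 8-byte IPv4 address parameter. */
#define INIT_BODY 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0
const uint8_t good_cookie[28]       = { 1,0,0,20, INIT_BODY, 0,5,0,8,  192,0,2,1 };
const uint8_t short_init_cookie[28] = { 1,0,0,12, INIT_BODY, 0,5,0,8,  192,0,2,1 }; /* INIT length 12 < 20 */
const uint8_t bad_param_cookie[28]  = { 1,0,0,20, INIT_BODY, 0,5,0,32, 192,0,2,1 }; /* param claims 32 bytes */
```

Passing good_cookie with raw_addr_list_len 8 returns COOKIE_OK, while the truncated INIT, an oversized raw_addr_list_len, and the over-long address parameter each return the corresponding error code instead of reading past the buffer.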
